Left-Right Groups Want Computer Hacking Law Fixed

September 06, 2011

Washington–A left-right group of NGOs and academics has issued a letter calling for Congress to narrow the Computer Fraud and Abuse Act (CFAA) before considering enhancements to penalties imposed under the Act. The letter, sent to Sens. Patrick Leahy (D-VT) and Chuck Grassley (R-IA), was issued in anticipation of the September 7th Senate Judiciary Committee hearings on "Updating the [CFAA] to Protect Cyberspace and Combat Emerging Threats."

The letter points out that the CFAA is vague and overbroad:

The CFAA imposes civil and criminal liability for accessing a protected computer "without" or "in excess of" authorization, but fails to define "authorization." This makes the definition of the precise activities that are punishable unavoidably vague. As a result of this lack of clarity, several courts have used companies’ network terms of use, which lay out contractual constraints on users’ use of those networks, to also define what constitutes criminal behavior on those networks. The consequence is that private corporations can in effect establish what conduct violates federal criminal law when they draft such policies.

Penalty enhancement under the CFAA is likely to be a focus of the Senate hearing because only Administration witnesses have been invited, and because the Administration made CFAA penalty enhancement its primary law enforcement recommendation in the cybersecurity area.

The joint letter calls for re-focusing the CFAA on malicious hackers and online criminals, rather than permitting prosecutions and civil actions based on conduct that merely violates an employer’s computer use policy or an Internet service’s terms of use.